First-party fraud: Why it is the hardest to prove

Victim of web fraud

Share this post

The current economic climate is making first-party fraud – also known as friendly fraud – more appealing to those struggling financially. Sarah Jordan and Stephanie Kattah examine the challenges facing businesses and merchants in tackling this crime.

One in seven UK adults admitted to participating in firstparty fraud (FPF), according to research by Cifas; while figures from the National Fraud Database showed an 18% increase in FPF within the first nine months of 2021.

FPF is when a customer commits a deceptive act by taking advantage of their role and rights within the payment ecosystem. The current cost-of-living crisis and high inflation rates have further driven customers to succumbing to either committing fraud themselves or becoming easily manipulated by others.

There is concern that the upcoming Payment Systems Regulator’s (PSR) authorised push payments (APP) fraud reimbursement requirement may also lead to a further rise in FPF as customers may take advantage of the chargeback protections provided to them.

We have spoken with firms across the payment’s ecosystem including merchants, acquirers, card schemes and issuers, to find out some of the FPF challenges and best practice regarding support from firms in tackling this issue.

What is first-party fraud?

FPF occurs when a person knowingly misrepresents their identity or gives false information for financial or material gain. FPF can take many forms, common types include:

Chargeback fraud: Also known as friendly fraud, this takes place when a customer requests a refund regarding a transaction for an item or service that they claim they have not received or is not as expected. However, it is a legitimate payment made by the customer who intends to keep the item or service without payment.

Refund fraud: Occurs when customers return allegedly broken, stolen, or counterfeit items in exchange for a refund.

• Application fraud: Takes place when a customer provides false information regarding their personal details, such as their level of income, to gain a more favourable outcome on a loan or credit line.

• De-shopping: When a customer buys an item, uses it, and then returns it as if unused to the merchant for a refund.

What are the current issues and challenges?

Although customers may believe what they are doing is harmless, it is fraud and the impact on firms across the payments ecosystem is increasing.

The pandemic exacerbated the issue as stores were forced to close and retailers needed to differentiate online by making
delivery and returns a simple part of the customer experience.

Retailers experienced 70% more monthly fraud attempts during the 2020 lockdown in comparison to previous years, according to finance online.

Merchants tell us their industry is still greatly impacted by FPF, with trends in customers reporting false chargebacks and disputes.

The hardest fraud to capture or prove is that committed by the customer, especially if they have a history of good behaviour and creditworthiness.

FPF moves the burden of proof to the merchant and away from the customer raising the claim. Merchants are currently required to cover loss of inventory costs for fraudsters who are successful when they falsely claim a chargeback or refund on an item or service they received.

Due to the challenges in proving FPF, in addition to providing proof to card issuers, a merchant may need to meet differing scheme standards to prove a chargeback or dispute, therefore fraud figures quoted are said to be ‘the tip of the iceberg’. According to the Merchant Risk Council’s 2023 report, more than one-third of merchants experience first-party misuse or friendly fraud, with enterprises, in particular, seeing a significant spike in this activity.

Because of the cost firms incur trying to prove FPF, some have simply had to accept a level of fraudulent activity and unfortunately the fraudsters know that and will move around merchants making similar claims.

Therefore, the real level of FPF is much higher than reported and there is a risk that smaller merchants that do not have the resources to invest in fraud detection and prevention tools are disproportionately impacted.

Firms now find they need to balance the risk of fraud with their customer experience. This is because genuine customers may feel strained in their relationship with the organisation if they become subject to the increased checks and scrutiny when they need a legitimate refund or require a chargeback.

Furthermore, businesses that are targets for FPF have an increased risk perception to merchant acquirers resulting in them charging a higher fee for their services.

Simultaneously, organisations are evolving in their platforms and technology to remain on top of the market and enhance their customer journey with the aim to improve business.

The demand for onboarding and increased usage of simplified due diligence or outsourced onboarding are ways in which the payments ecosystem is evolving.

In 2021 we saw the total number of payments return to pre-pandemic levels and a return towards the long-run trends in payment method usage.

Contactless continued to be popular, accounting for almost a third of all payments, insights from UK Finance showed.

Evolving systems, policies and technology across the ecosystem may lead to manipulation by criminals to commit FPF a processes become simpler and fraudsters develop their own techniques to exploit vulnerabilities and weaknesses in internal processes and systems.

The PSR published a policy statement in June (2023) setting out a new reimbursement requirement for APP fraud that applies where payments are executed over the Faster Payment System with some exceptions.

Exceptions include FPF or where victims have acted with gross negligence and in these cases, reimbursement will not apply.

A further PSR consultation is expected to provide guidance on gross negligence.

With an expectation that reimbursement mechanisms are put in place and as customers become increasingly aware of their right to reimbursement in the case of APP, there is risk that customers will falsely allege APP fraud to seek reimbursement.

This customer behaviour is expected to be driven by the same factors we see today in the fight against FPF: the ease
of claiming, the current economic climate, and the burden of proof challenge for firms.

In the event this risk crystallises as expected, it will be another contributing factor to increasing levels of FPF we are seeing across the payment’s ecosystem.

How can the industry approach the issue?

FPF is unique in nature and can be unpredictable in cases but there are steps that can be taken to prevent, detect and respond to this threat. This comprises strong controls, processes, intelligence sharing and customer education.

Initial screening and verification tools at the customer onboarding stage are crucial in identifying suspicious behaviour early and authenticating customer identities to identify the risk of fraudulent accounts.

Data analytics and artificial intelligence (AI) can be used to determine trends and anomalies. A robust AI enabled rule management system is also required to detect suspicious or unusual transactional behaviour by analysing loss trends and continually updating thresholds to ensure fraudsters have difficulty in avoiding rules, while maintaining low false positive rates to minimise genuine customer impact. Customers who have repeat claims for example, can be an indicator of FPF.

Communication through customer education, raising public awareness and internal employee training can also educate parties about the types of FPF, how potential risks can be identified and prevented, raise awareness of trends, and highlight the consequences of committing such criminal act.

In addition, there are other industries that can be learnt from, for example, nudge theory, which has been tried and tested in the insurance industry for some time.

Nudge theory is a technique whereby the customer is reminded of the importance of being truthful upfront during the client relationship and gently highlights the implications of being caught committing fraud to deter clients from FPF.

It is proven to encourage customers to make good decisions when their moral compass is being swayed due to financial struggles. For example, many banks also utilise challenge teams for fraud cases where spurious transactions are added to a claim.

Finally, intelligence sharing and a combined effort across industry to tackle the problem will help to reduce it. There are various forums where information has been shared on FPF between merchants, acquirers and issuers.

However these are largely informal and do not bring together the various ecosystem role holders to create a holistic view and approach to managing the risk.

CIFAs and UK Finance are organisations that provide cross-sector collaboration, and the industry could utilise them to tackle the issue holistically, such as with cross payment industry sessions.

A coordinated effort bringing together firms within the payments ecosystem and include reviewing standards and rules so that the nuance of FPF can be used to better manage the risks and encourage consistency of criteria for proving it.

Intelligence sharing mechanisms can also be used across institutions of those customers with a record of claiming refunds
and chargebacks.

What’s next

Increased distant selling, increased players in the payments chain, and a regulatory focus on consumer outcomes has
created the perfect storm for FPF.

Furthermore, within an era of advanced technology, firms need to be prepared for the equally sophisticated techniques used by fraudsters to prevent financial losses, reputational damage, and increased regulatory liability.

Our combined industry and client experience allows us to conclude that understanding the behaviours of FPF and implementing a robust prevention, detection, and response fraud management framework, including robust controls, customer education, and intelligence sharing, across the payments ecosystem will collectively strengthen an organisation’s defence against such deceptive acts.

With the upcoming PSR fraud reimbursement requirement for APP adding further challenges, it’s important the industry
acts now to address this growing risk.

Sarah Jordan is a member of The Payments Association’s Project Financial Crime and director of financial advisory –
forensics at Deloitte. And Stephanie Kattah is a manager of financial advisory – forensics at Deloitte.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?